Radio frequency identification (RFID) and near field communications (NFC) devices are becoming increasingly used for storing sensitive personal information, for example RFID tagged passports and the use of electronic wallets. This storage of sensitive personal information on RFID and NFC devices makes the devices targets for identity theft, for example passports have been cloned whilst on route to their rightful owners based upon information extracted from an RFID tag embedded in the passport, the RFID tag having been read through the envelope in which the passport was contained.
The use of electromagnetically shielded wallets can reduce the likelihood of identity theft from high frequency (HF) and ultra-high frequency (UHF) RFID tags whilst they are not being actively used. However, at the point of use, for example when paying for goods or service, the RFID tag must be removed from its shielded wallet and is vulnerable to being read by a skimming reader. Currently, attempts have been made to cryptographically protect data stored on the RFID tag. For example, “rolling code” schemes have been used in which the tag identifier information is altered after each scan, this reduces the re-usability of any data captured by a third party. More sophisticated devices use “challenge and response authentications” protocols using symmetric key cryptography, where a reader challenges a tag, the tag responds with an encrypted response based upon an embedded symmetric key.
Such cryptographically based protections have a number of disadvantages associated with them, in particular higher production cost and power consumption compared to that of non-encrypted RFID tags. Additionally, the limited computational power available in RFID tags precludes the employment of powerful encryption.
A further problem associated with current RFID tag systems is the susceptibility of tag readers to denial of service (DoS) in which the reader is swamped by spurious signals. This reduces the availability of the RFID reader which can, for example result in lost sales and revenue. There is currently no ready way to detect an attempted DoS attack, other than the failure of the reader.